The ongoing DDoS attack on GitHub, which has made the social coding site intermittently unresponsive since March 25, is essentially a side effect of an older operation from the Chinese government against a site run by the anti-censorship project GreatFire.org.
Officials at GreatFire said that the attack on their infrastructure began on March 17 and involved essentially the same techniques employed in the attack on GitHub. Unlike a typical DDoS attack, these operations don’t involve specialized attack tools. Instead, the attacks on GitHub and GreatFire use traffic hijacked from unsuspecting Internet users around the world that is then sent to the targets. The traffic hijacking is done through the use of Javascript Baidu Web analytics code placed on thousands of sites, and when a user visits a page containing the code, the code makes a request to Baidu’s network inside China.
According to an analysis of the attacks by researchers at Swedish vendor Netresec AB, that’s where the Chinese government intervenes.
“The web browser’s request for the Baidu javascript is detected by the Chinese passive infrastructure as it enters China. A fake response is sent out from within China instead of the actual Baidu Analytics script. This fake response is a malicious javascript that tells the user’s browser to continuously reload two specific pages on GitHub.com,” the analysis says.
That tactic is virtually identical to one used in the attack on GreatFire earlier in March, GreatFire officials said.
“Millions of global internet users, visiting thousands of websites hosted inside and outside China, were randomly receiving malicious code which was used to launch cyberattacks against GreatFire.org’s websites. Baidu’s Analytics code (h.js) was one of the files replaced by malicious code which triggered the attacks. Baidu Analytics, akin to Google Analytics, is used by thousands of websites. Any visitor to any website using Baidu Analytics or other Baidu resources would have been exposed to the malicious code,” the Great Fire analysis says.
The root cause of both attacks appears to be the Chinese government’s dislike for the content on GreatFire, which provides anti-censorship tools and monitors censored sites and keywords inside China. When the DDoS attack on GreatFire began, the group began mirroring some of its content on its GitHub page and pointed users to it. The DDoS attack traffic then began flowing toward GitHub, aimed directly at the GreatFire mirror URL and another URL that hosts Chinese content. Malicious Javascript is being used to hijack users’ traffic and send it to the GitHub pages.
GitHub officials have been working to mitigate the effects of the DDoS attacks, with varying degrees of success. The latest status update from GitHub on Tuesday morning shows that the service is operating normally at the moment. GreatFire officials have published a detailed report on the attack, and have concluded that the Chinese government is behind both DDoS attacks.
“When we first blogged about this attack we did not want to level accusations without evidence. Based on the technical forensic evidence provided above and the detailed research that has been done on the GitHub attack, we can now confidently conclude that the Cyberspace Administration of China (CAC) is responsible for both of these attacks,” the GreatFire blog post says.
